PARALLEL INTRUSION DETECTION
SENSORS WITH LOAD BALANCING FOR
HIGH SPEED NETWORKS

TECHNICAL FIELD OF THE INVENTION

This invention relates to computer networks, and more
particularly to prevention of unauthorized access to a local
network from computers external to the local network.

BACKGROUND OF THE INVENTION 

Prevention of unauthorized access by outsiders to a com-
puter network is a part of any network management pro-
gram. This security problem has been complicated by recent
trends in internetworking of previously isolated private
networks with value added networks, public networks (such
as the internet), and with the networks of other enterprises.

Firewalls are one approach to preventing unauthorized
access. Essentially, a firewall is a control layer inserted
between an enterprise's network and the outside. It permits
only some traffic to pass through. The firewall is configured
by the administrator of the local network based on the
enterprise's security policy. For example, the firewall may
block traffic of a certain type, traffic from certain addresses,
or traffic from all but a predetermined set of addresses.

Techniques used by network intruders for penetrating
network system security have evolved in pace with sophis-
ticated methods for detecting the intruders. Detection meth-
ods include software solutions, specifically, software intru-
sion detection systems, which continually monitor network
traffic and look for known patterns of attack.

When an intrusion detection system detects inappropriate
activity, it generates appropriate alarms and provides other
responses while the attack is occurring. For example, the
intrusion detection system might report the attack, log the
attack, and terminate the misused connection.

One approach to intrusion detection relies on known
patterns of unauthorized activity, referred to as "signatures".
These signatures are stored, and, in real time, compared to
the packet flow incoming to the network. If a match is found,
the incoming datastream is assumed to be misused.

Many existing intrusion detection systems are host-based
rather than network-based. A host-based system resides on a
particular host computer and detects only attacks to that
host. A network-based system is connected at some point on
a local network and detects attacks across the entire local
network.

As an example of network-based intrusion detection, one
known pattern of unauthorized access is associated with "IP
spoofing", whereby an intruder sends messages to a com-
puter with an IP address indicating that the message is from
a trusted port. To engage in IP spoofing, the intruder must
first use a variety of techniques to find an IP address of a
trusted port and must then modify the packet headers so that
it appears that the packets are coming from that port. This
activity results in a signature that can be detected when
matched to a previously stored signature of the same activ-
ity.

SUMMARY OF THE INVENTION 

One aspect of the invention is a method of detecting
unauthorized access on a network as indicated by signature
analysis of packet traffic on the network. A plurality of
intrusion detection sensors are connected at a network entry
point associated with an internetworking device, such as a
router or switch. The packet load to the sensors is "load
balanced", such that said packets are distributed at least at a 
session-based level. The load balancing may be at a lower 
(packet-based) level, which tends to more evenly distribute 
the load on each sensor but requires additional processing 
external to the sensors or requires sharing of session-level 
data between sensors. The sensors are used to detect signa- 
tures indicated by the packets. Packets indicating a compos- 
ite signature from multiple sessions are delivered to a 
network analyzer, which detects the composite signatures. 
The results of the detection performed by the sensors and the 
network analyzer are used to determine if there is an attempt 
to gain unauthorized access to the network. 

An advantage of the invention is that it provides a 
processor-based intrusion detection system that can keep up 
with the high traffic throughput of today's networks. Exist- 
ing sensors may be used, and the solution provided by the 
invention is easily scalable. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 illustrates a typical computer network, with a 
"local network" protected by an intrusion detection system 
(IDS) sensor in accordance with the invention. 

FIG. 2 illustrates an intrusion detection system, used with 
a router that provides session-based load balancing, and 
having multiple sensors operating in parallel. 

FIG. 3 illustrates an intrusion detection system, used with 
a router that provides packet-based load balancing, and 
having multiple sensors operating in parallel. 

FIG. 4 illustrates an intrusion detection system, integrated 
into a switch, and having session-based load balancing to 
multiple sensors operating in parallel. 

FIG. 5 illustrates an intrusion detection system, integrated 
into a switch, and having packet-based load balancing 
to multiple sensors operating in parallel.

FIG. 6 illustrates an intrusion detection system, integrated 
into a switch, and having packet-based load balancing to 
multiple sensors operating in parallel, where the load bal- 
ancing is achieved with arbitration circuits at each sensor. 

DETAILED DESCRIPTION OF THE 
INVENTION 

The invention described herein is directed to a network 
intrusion detection system that accommodates the higher 
packet throughput enabled by today's high speed networks. 
Multiple intrusion detection sensors are used at the entry 
point to the network, specifically, at an "internetworking 
device" such as a router or a switch. These devices have in 
common the function of linking a local network to an 
external network, such as another local network or to a wide 
area network using a telecommunications link. 

As explained below, the internetworking device, whether 
a router or switch, is processor-based and includes load 
balancing programming, which controls how packets are 
distributed from the internetworking device to the sensors 
for processing. 

Two specific embodiments of the invention are described 
herein. A first embodiment provides multiple sensors at the 
output of a router. A second embodiment provides multiple 
sensors inside a switch. In both cases, each sensor is 
identical to the other sensors and is capable of performing 
the same intrusion detection processing. The sensors operate 
in parallel, and analyze packets to determine if any packet or 
series of packets has a "signature" that matches one of a 
collection of known intrusion signatures. Thus, the invention 
provides an easily scalable approach to providing an intrusion
detection system whose ability to perform signature analysis 
can keep up with high speed networks. 

For simplicity of description, each of the embodiments 
described herein is described in terms of signature analysis 
of packet datastreams incoming to a local network. 
However, the same concepts apply to outgoing traffic. 

Intrusion Detection System Overview 

FIG. 1 illustrates a typical computer network, with a 
"local network" 10 protected by an intrusion detection 
system (IDS) sensor 11 in accordance with the invention. 
The local network 10 is the network being secured, with the 
rest of the network being referred to herein as the "external 
network". It is assumed that local network 10 receives and 
sends data in "packets", which are switched between net- 
work segments via router 12. 

"Intrusion detection" is a term familiar in the art of 
network security. It includes the various attacks discussed 
herein, and in general, all types of misuse that may be 
indicated by signatures. 

Router 12 is of a type known in the field of networking, 
making connections between networks at the transport layer 
of the OSI model. Router 12 decides whether to forward a 
packet by examining the packet's protocol level addresses. 
Router 12 is capable of handling any datalink protocol, thus, 
ethernet, FDDI, ISDN, and so on are handled in the same 
manner. 

Router 12 inspects packets incoming from the external 
network to determine which should be forwarded into the 
local network 10. Similarly, packets originating in the local 
network are inspected to determine whether they are to be 
forwarded to the external network. As stated above, router 
12 is a type of "internetworking device" in that it is used to 
connect separate network segments. A characteristic of a 
router is its ability to communicate with other routers 
outside the local network 10 to determine the best routes for 
network traffic. 

As explained below, sensor 11 analyzes packets to deter- 
mine if traffic into and out from local network 10 is misused. 
Sensor 11 may be implemented as a hardware device or as 
a combination of hardware and software. Sensor 11 pro- 
cesses a packet by examining its header and payload, as well 
as its relationship to other packets in the data stream. It 
detects "signatures" associated with misused access, where 
a "signature" is a pattern of one or more events represented
by strings of binary code. 

Although local network 10 is illustrated as having a 
"mesh" type topology, this is for purposes of example. Local 
network 10 could be any system of interconnected computer 
stations 10a, typically having a server 10b to function as a
sort of gateway to network resources. 

Local network 10 may include an IDS manager station 
10c, which provides system management personnel with a 
user interface and system management functionality espe- 
cially directed to intrusion detection and response. In this 
case, sensor 11 might forward alarms to station 10c, which 
may then alert the system manager or automatically take 
action. Alternatively, sensor 11 may autonomously comprise 
the entire intrusion detection system. In this case, sensor 11 
may have appropriate functionality so that if it detects an 
intrusion, it can take appropriate action, such as terminating 
the connection. 

An example of a suitable IDS sensor 11 is the sensor
device provided with the NETRANGER intrusion detection
system, available from Cisco Systems, Inc. The
NETRANGER product also includes director management
software for use at station 10c. A feature of the
NETRANGER sensors is their ability to monitor almost any
type of IP (internet protocol) network, ranging from internet
connections, LAN segments, and the network side of dial-in
modems. The data link protocol might be any one of various
types, such as ethernet, fast ethernet, token ring, or FDDI.
However, other types of intrusion detection sensors (often
referred to as "signature processors") could be used and
other types of protocols can be analyzed.

In the example of this description, which is in terms of
network traffic using the IP protocol, the packets incoming
to local network 10 may adhere to various protocols running
on top of the IP protocol or to IP extensions. For example,
the IP protocol may have a TCP or UDP protocol running on
top of it. The TCP (transmission control protocol) enables
two hosts to establish a connection and exchange streams of
data and includes various delivery guarantees. The UDP
(user datagram protocol) is used primarily for broadcasting
messages and provides few error recovery services. The
ICMP (internet control message protocol) is an extension to
IP and supports packets containing various error, control,
and informational messages.

In the example of this description, sensor 11 is capable of
examining packets for each of these three IP protocols, i.e.,
TCP, UDP, and ICMP. In today's networking environments,
these IP protocols cover most internet traffic. However, the
same concepts could be applied to examination of other
protocols, including alternatives to IP.

Sensor 11 captures network data, and parses each packet
before signature analysis occurs. Various capabilities of
sensor 11 to support signature analysis include, but are not
limited to, checksum verification, hop count checking, IP
option checking, MTU checking for maximum packet size,
IP fragment reassembly, and TCP stream reassembly, as well
as pattern matching.

The signatures detected by sensor 11 include those asso-
ciated with malicious intent attacks, denial of service
attacks, evasion attempts, and other methods of misuse.

Signature Analysis Overview 

Signature analysis uses one or more intrusion detection
sensors 11, which are installed on a network segment and are
transparent to network performance. For purposes of
example, the operation of a typical intrusion detection
sensor 11 is described herein. However, it should be under-
stood that the basic concepts of the invention are not limited
to a particular type of sensor, and can be applied in the
context of any hardware/software configuration that is an
intrusion signature "sensor" in that it performs signature
analysis.

A sensor 11 contains a detection engine, which examines
each packet incoming to the sensor 11, including its header
and payload. The sensor 11 also analyzes each packet's
relationship to adjacent and related packets in the data
stream. If the analysis indicates misuse, the sensor may act
autonomously to take action, such as disconnection, or it
may send an alarm to a separate intrusion detection man-
agement station.

The signature detection engine of a sensor 11 uses a
signature recognition methodology that includes both con-
text and content oriented signature analysis. Context-
oriented signatures consist of known network service vul-
nerabilities that can be detected by inspecting packet
headers. Examples of context-oriented signatures are
SATAN, TCP Hijacking, and IP spoofing signatures.
Content-oriented signatures require the inspection of data
fields within a packet to determine if an intrusion has
occurred at the application level. These include e-mail and
web attack signatures. A sensor 11 might also have the
capability to be programmed to analyze packets for custom-
ized signatures for a particular network.

Signatures may also be categorized as being either atomic
or composite. Atomic signatures comprise information
(context or content) in a single packet. Composite signatures
comprise information in multiple packets.

Network with Parallel Sensors External to Router 

FIGS. 2 and 3 illustrate two embodiments of an intrusion
detection system, used with a router, having multiple sensors
21 operating in parallel. In the example of this description,
both embodiments have three sensors, but any number of
sensors could be used. In each embodiment, the router has
a load balancing unit, which distributes packets among the
sensors.

In the embodiment of FIG. 2, the load balancing is
"session-based", which means that each sensor 21 handles a
portion of the sessions incoming to the network. A stream of
packets, S1, S2, . . . S6, . . . is illustrated. In the example of
FIG. 2, the load balancing is such that S1 goes to a first
sensor, S2 to a second, S3 to a third, S4 to the first, and so
on. Thus, each sensor 21 handles one-third of the sessions in
a given datastream.

A network analyzer 25 receives packets from different
sessions, which may be used to detect certain types of
composite signatures. For example, a "ping" type signature
is indicated by multiple sessions that attempt to connect to
different destinations within the local network. Single packets
indicating ping behavior can be delivered to network ana-
lyzer 25, which then monitors similar packets from different
sessions to see if a ping pattern is indicated. In general,
network analyzer 25 detects signatures of attacks against
multiple hosts and different sessions. Such attacks are often
detected using statistical correlations.

Network analyzer 25 can be implemented using state
information. As an example, state information stored in
network analyzer 25 may depend on the connectivity asso-
ciated with a particular signature. For example, a ping sweep
signature is a "one-to-many" signature because a source host
transmits to a number of destination hosts. Analysis of the
ping sweep signature includes tracking the number of
destination hosts to which a source host transmits an ICMP
echo request packet. If the threshold of destination hosts is
N, then a table of N-1 addresses is maintained for each
source host that has transmitted an ICMP echo request
packet. Another example of a signature requiring network
analyzer 35 is a signature known as a "TCP scan" signature,
which is indicated by a series of connections from the same
source to different hosts.
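The "one-to-many" state tracking just described, written out as an added Python example (this is not the patent's own code; the class name, the rule that maps ICMP echo requests and lone TCP SYNs to the two signature types, and the sample packets are assumptions). Each source host gets a table of distinct destination hosts per signature type; the table never needs to hold more than N-1 entries, because reaching the N-th distinct destination fires the signature and the table is released:

```python
"""Network analyzer for "one-to-many" composite signatures.

Added example, not the patent's own code. For each source host, a table
of distinct destination hosts is kept per signature type (ping sweep,
TCP scan); when the N-th distinct destination is seen the composite
signature fires. The packet records at the bottom are constructed.
"""
from collections import defaultdict


class OneToManyAnalyzer:
    """Tracks distinct destinations per (source, signature) key."""

    def __init__(self, threshold):
        if threshold < 2:
            raise ValueError("threshold must be at least 2")
        self.threshold = threshold
        # (source, signature) -> set of destination hosts seen so far;
        # holds at most threshold-1 entries between calls
        self._tables = defaultdict(set)
        # keys that already fired, so one sweep yields one alert
        self._reported = set()

    def observe(self, source, destination, signature):
        """Record one suspicious packet forwarded by a sensor.

        Returns an alert dict when the threshold is reached, else None.
        A repeated destination does not advance the count.
        """
        key = (source, signature)
        if key in self._reported:
            return None
        table = self._tables[key]
        table.add(destination)
        if len(table) >= self.threshold:
            self._reported.add(key)
            hosts = sorted(table)
            del self._tables[key]          # release the per-source table
            return {"signature": signature, "source": source,
                    "destinations": hosts}
        return None


def classify(pkt):
    """Map a parsed packet dict to a one-to-many signature name, or None.

    Assumed rule: ICMP echo request (type 8) contributes to "ping_sweep";
    a TCP segment with only SYN set contributes to "tcp_scan".
    """
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        return "ping_sweep"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "tcp_scan"
    return None


def run_analyzer(packets, threshold):
    """Feed packets from any sensors/sessions; return the alerts raised."""
    analyzer = OneToManyAnalyzer(threshold)
    alerts = []
    for pkt in packets:
        sig = classify(pkt)
        if sig is None:
            continue
        alert = analyzer.observe(pkt["src"], pkt["dst"], sig)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one host pings five different hosts (a sweep);
# a second host sends SYN twice to the same host (one destination, no scan).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.%d" % i,
     "proto": "icmp", "icmp_type": 8}
    for i in range(1, 6)
] + [
    {"src": "198.51.100.9", "dst": "192.0.2.50", "proto": "tcp", "flags": "S"},
    {"src": "198.51.100.9", "dst": "192.0.2.50", "proto": "tcp", "flags": "S"},
]

if __name__ == "__main__":
    for alert in run_analyzer(SAMPLE_PACKETS, threshold=5):
        print(alert)
```

Because the key is the source host rather than the session, packets reported by different sensors for different sessions land in the same table, which is exactly why this tracking belongs in the shared network analyzer rather than in an individual sensor.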

FIG. 3 illustrates an alternative intrusion detection system
30, also having a router 32 and parallel sensors 31, but where
the load balancing is "packet-based". Router 32 has a load
balancing unit 32a, which distributes a packet stream com-
prised of packets P1, P2, . . . P6 . . . . The load balancing is
such that P1 goes to a first sensor, P2 to a second, P3 to a
third, P4 to the first, and so on.

As explained above, IP traffic may contain various packet
types, such as TCP, UDP, and ICMP. The packet-based load
balancing is especially beneficial under "flooding" condi-
tions. For example, packet flooding might result in a series
of only TCP packets. Even in this situation, each sensor 31
processes only one-third of the packets. Thus, even if the
traffic is flooded with one type of packet, each processor will
handle the same load.

Like intrusion detection system 20, system 30 uses a 
network analyzer 35, which detects signatures requiring 
packet information from packets of different sessions. As 
explained above, network analyzer 35 primarily detects 
correlations among signatures in different sessions. 

Additionally, system 30 has a session analyzer 36, which 
stores information used to detect signatures from different 
packets in the same session. For example, a first sensor 31 
might receive a packet indicating a signature that would be 
comprised of different packets from the same session. 
Because that sensor 31 does not necessarily process all
packets from the same session, the suspicious packet would 
be delivered to session analyzer 36, which would receive 
suspicious packets from other sensors 31, and determine 
whether the signature had been transmitted to the local 
network 10. Session analyzer 36 might be as simple as a 
counting mechanism that counts signatures of a certain
type. Or session analyzer 36 might process state 
information, such as determining that a packet indicates a 
state A, then determining if a second packet indicates a state 
B, etc. 
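Both forms of session analyzer described above, the simple counter and the state tracker, as an added Python example (not the patent's code; the rule names, the session key and the sample session are assumptions). Under packet-based balancing each sensor sees only a fraction of a session, so each sensor forwards the packet it found suspicious together with what it observed, and the analyzer reassembles the signature per session regardless of which sensor reported each piece:

```python
"""Session analyzer for packet-based load balancing.

Added example, not the patent's own code. Two modes are shown: a
counting mode (a signature type reported N times within one session)
and a state mode (packets must indicate state A, then B, then C, in
order). Rule names, the session key and the sample session are assumed.
"""


def session_key(pkt):
    """Direction-independent key so both halves of a session match."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return (pkt["proto"], lo, hi)


class SessionAnalyzer:
    def __init__(self, count_rules, state_rules):
        self.count_rules = count_rules   # {sig_type: threshold}
        self.state_rules = state_rules   # {sig_name: [state, ...] in order}
        self._counts = {}                # (session, sig_type) -> count
        self._progress = {}              # (session, sig_name) -> next index

    def report(self, sensor_id, pkt, observation):
        """Accept one suspicious packet from a sensor.

        observation is ("count", sig_type) or ("state", sig_name, state).
        Returns an alert dict when a signature completes, else None.
        """
        key = session_key(pkt)
        if observation[0] == "count":
            sig = observation[1]
            k = (key, sig)
            self._counts[k] = self._counts.get(k, 0) + 1
            if self._counts[k] == self.count_rules[sig]:
                return {"signature": sig, "session": key,
                        "last_sensor": sensor_id}
            return None
        sig, state = observation[1], observation[2]
        seq = self.state_rules[sig]
        k = (key, sig)
        idx = self._progress.get(k, 0)
        if state == seq[idx]:
            idx += 1                     # the next expected state was seen
        elif state == seq[0]:
            idx = 1                      # sequence restarts from its first state
        else:
            idx = 0                      # out-of-order state: no partial match
        if idx == len(seq):
            self._progress[k] = 0
            return {"signature": sig, "session": key,
                    "last_sensor": sensor_id}
        self._progress[k] = idx
        return None


# Constructed sample: one TCP session, both directions, spread over 3 sensors.
SESSION = {"proto": "tcp", "src": "198.51.100.7", "sport": 40001,
           "dst": "192.0.2.10", "dport": 80}
REVERSE = {"proto": "tcp", "src": "192.0.2.10", "sport": 80,
           "dst": "198.51.100.7", "dport": 40001}


def demo_state_sequence(observed_states):
    """Feed states in the given order; return the alerts raised."""
    sa = SessionAnalyzer({}, {"three_step": ["A", "B", "C"]})
    alerts = []
    for i, state in enumerate(observed_states):
        # alternate direction and sensor, as packet-based balancing would
        pkt = SESSION if i % 2 == 0 else REVERSE
        alert = sa.report(i % 3, pkt, ("state", "three_step", state))
        if alert:
            alerts.append(alert)
    return alerts


def demo_count(n_reports):
    """Report the same signature type n_reports times from rotating sensors."""
    sa = SessionAnalyzer({"bad_option": 3}, {})
    alerts = []
    for i in range(n_reports):
        alert = sa.report(i % 3, SESSION, ("count", "bad_option"))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(demo_state_sequence(["A", "B", "C"]))
    print(demo_count(3))
```

The state mode resets on an out-of-order state, so a session that shows only B and C never fires; the counting mode fires exactly once, when the count first reaches the threshold.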

For the embodiments of both FIG. 2 and FIG. 3, the load 
balancing unit 22a or 32a could be implemented as software 
or hardware, or some combination of the two. Each sensor 
21 or 31 receives only the packets that it will process. 

For a software implementation of the load balancing unit 
22a or 32a, routing to sensors 21 and 31 can be performed
with appropriate modifications to existing router software. 
Like other IP routing, the decision of which sensor 21 or 31 
will receive a particular packet (or session of packets) is 
determined by an address associated with the sensor. For 
example, each sensor 21 or 31 might have a unique IP 
address so that routing is performed as with other 
IP-addressed destinations. The sensors receive copies of the 
same packets that are destined to the local network. 
Specifically, a "copy to" operation is used to send each 
packet to the appropriate sensor as well as to the destination 
in local network 10 to which the packet is addressed. For 
example, router 21 may encapsulate the packet so that its 
new header information addresses the packet to the appro- 
priate sensor. The addressing to sensors 21 or 31 need not be 
IP addressing — various other transport addressing mecha- 
nisms could be used. 

If desired, the load balancing software can be pro- 
grammed so that certain destinations are included or 
excluded. For example, router 22 or 32 could be pro- 
grammed so that only packets destined for a given range of 
IP addresses are copied to intrusion detection sensors. Thus, 
if router 22 or 32 were connected to two local networks, only 
packets incoming from the external network could be 
directed to the sensors and not packets being transported 
between the local networks. 
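A software load balancing unit combining the three behaviours described above, as an added Python example (not the patent's or Cisco's code; the sensor indices, the CRC-based session hash and the sample packet stream are assumptions): session-based distribution sends every packet of a session, in either direction, to the same sensor; packet-based distribution is a strict round robin, so a flood of a single packet type still spreads evenly; and the inclusion filter copies only packets addressed into the protected range to a sensor:

```python
"""Load balancing unit feeding N parallel intrusion detection sensors.

Added example, not the patent's own code. Policies: "session" (stable
hash of the session's endpoints, so both directions of a session hit the
same sensor) and "packet" (round robin). Only packets whose destination
lies in the protected range are copied to a sensor at all. Addresses,
sensor indices and the sample stream are constructed.
"""
import ipaddress
import zlib


def session_id(pkt):
    """Direction-independent session identity: protocol plus two endpoints."""
    a = (pkt["src"], pkt.get("sport", 0))
    b = (pkt["dst"], pkt.get("dport", 0))
    lo, hi = sorted([a, b])
    return "%s|%s:%d|%s:%d" % (pkt["proto"], lo[0], lo[1], hi[0], hi[1])


class LoadBalancer:
    def __init__(self, n_sensors, policy, protected_net):
        if policy not in ("session", "packet"):
            raise ValueError("policy must be 'session' or 'packet'")
        self.n = n_sensors
        self.policy = policy
        self.protected = ipaddress.ip_network(protected_net)
        self._rr = 0                    # next sensor for round robin

    def choose_sensor(self, pkt):
        """Return the sensor index that gets a copy of pkt, or None."""
        # inclusion filter: only traffic into the protected range is inspected
        if ipaddress.ip_address(pkt["dst"]) not in self.protected:
            return None
        if self.policy == "session":
            # stable hash: every packet of the session maps to one sensor
            return zlib.crc32(session_id(pkt).encode()) % self.n
        idx = self._rr
        self._rr = (self._rr + 1) % self.n
        return idx


def distribute(packets, n_sensors, policy, protected_net="192.0.2.0/24"):
    """Run a stream through the balancer; return per-sensor packet lists."""
    lb = LoadBalancer(n_sensors, policy, protected_net)
    buckets = [[] for _ in range(n_sensors)]
    for pkt in packets:
        i = lb.choose_sensor(pkt)
        if i is not None:
            buckets[i].append(pkt)
    return buckets


# Constructed sample: a TCP-only flood of nine packets from one session,
# followed by one packet addressed outside the protected range.
FLOOD = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001,
     "dst": "192.0.2.10", "dport": 80}
    for _ in range(9)
] + [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40002,
     "dst": "203.0.113.5", "dport": 80}
]

if __name__ == "__main__":
    for policy in ("packet", "session"):
        sizes = [len(b) for b in distribute(FLOOD, 3, policy)]
        print(policy, sizes)
```

With the packet policy the nine flood packets split 3/3/3 across the sensors; with the session policy all nine land on one sensor, which is the load imbalance the text describes and the reason the packet-based embodiment needs a separate session analyzer.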

Network with Sensors Internal to Switch 

FIGS. 4-6 illustrate various configurations for using 
intrusion detection sensors operating in parallel, internal to 
a switch. As explained below, FIG. 4 illustrates an intrusion 
detection system with session-based load balancing, 
whereas the systems of FIGS. 5 and 6 have packet-based 
load balancing. FIGS. 4 and 5 illustrate two different ways 
of using a load balancing unit within the switch, whereas 
FIG. 6 illustrates an arbitration circuit at each sensor. Either 
session-based or packet-based load balancing may be used
with any of the three techniques for distributing packets. 
For purposes of this description, a "switch" is a multiport
device that filters and forwards packets between network
segments. It operates at multiple layers of the OSI model and
therefore is capable of supporting any packet protocol. A
switch may or may not include routing capabilities, and in
the former case, is sometimes referred to as a routing switch.
As stated above, a switch is a type of "internetworking"
device. An example of a suitable switch, and the one used for
purposes of example herein, is the CATALYST 6000 switch
manufactured by Cisco Systems, Inc. This switch has a
backplane and bus architecture to which sensors may be
easily connected, typically by connecting one or more
printed circuit boards, each having circuitry for one or more
sensors.

For purposes of this description, only those elements of
the switch relevant to intrusion detection are illustrated. A
typical high speed data switch has a complex internal
structure with various buffers and control structures other
than shown in FIGS. 3-6.

FIG. 4 illustrates a switch 40 having internal intrusion
detection sensors 41. Switch 40 has multiple ports, each
having an associated port adapter 44 and each capable of
supporting a single end station or another network. Packets
are forwarded by switch 40 based on the destination address.
Essentially, the operation of switch 40 is such that its control
unit 43 ensures that only packets having a certain address are
output from the port associated with that address.

A high speed internal bus transports packets within switch
40. As an example, the internal bus might transport data at a
rate of 16 gigabits per second, whereas the output from each
port 44 is 100 megabits per second. Thus, the packet
throughput internal to switch 40 exceeds the throughput of
any output port on the switch 40. In a bus-based switch such
as switch 40, sensors 41 may be connected onto the bus, but
the invention could be implemented with other switches
with different internal transport mechanisms. For example,
the invention could be implemented with a "worm-hole
routing" type switch.

For purposes of intrusion detection, it is assumed that no
single sensor could process all packets being processed by
the switch 40. A sensor at each port would not have access
to all packets. The solution, as illustrated in FIG. 4, is the use
of multiple intrusion detection sensors 41 and a load bal-
ancer 42 internal to switch 40. Load balancer 42 distributes
traffic so that each sensor 41 processes only one Nth of the
traffic in and out of switch 40, where N is the number of
sensors 41.

Sensors 41 may be substantially the same as sensors 21
and 31 of FIGS. 2 and 3. Various types of sensors 41 can be
used, with the common characteristic being that each sensor
41 analyzes packets to determine if unauthorized intrusion is
indicated.

In the embodiment of FIG. 4, load balancer 42 provides
"session-based" load balancing, where all packets for a
particular session are delivered to the same one of sensors
31. Load balancer 42 operates by inspecting each packet of
the entire stream of network traffic and retransmitting them
to the appropriate sensor 41.

Sensors 41 each access a network analyzer 45, which
accommodates signatures that require analysis of packets
from more than one session. Network analyzer 45 is similar
to the network analyzers 25 and 35 described above, and
receives packets from sensors that indicate an attack across
multiple sessions.

FIG. 5 illustrates an alternate embodiment, a switch 50,
which implements "packet-based" load balancing. In this
embodiment, packets from the same session may be distrib-
uted to different sensors 51.

Rather than receiving and retransmitting packets, load
balancer 52 delivers control signals to sensors 51. These
control signals communicate to each sensor 51 which pack-
ets are to be processed by that sensor 51.

For packet-based load balancing, switch 50 has both a
network analyzer 55 and a session analyzer 56. These
elements operate in a manner similar to the network ana-
lyzers 25, 35, 45 and session analyzer 36 described above.

In the embodiments of both FIG. 4 and FIG. 5, load
balancing is achieved with a load balancing unit external to
the sensors. Two alternative means for distributing packets
are described — one involving retransmittal of packets
through the load balancer and the other involving the use of
control signals to the sensors. These techniques could be
interchanged for session-based and packet-based load bal-
ancing.

FIG. 6 illustrates a variation of a packet-based load
balancing switch, a switch 60 whose sensors 61 each have
an arbitration circuit 61a for determining packet distribu-
tion. An arbitration bus 67 transmits, among the sensors 61,
control signals used to determine packet distribution. The
arbitration circuit 61a at the front end of each sensor 61
determines which packets shall be analyzed by that sensor.
Although the embodiment of FIG. 6 is shown as being
packet-based, session-based arbitration could also be per-
formed and would eliminate the need for shared signature
memory 66.

Other Embodiments

Although the present invention has been described in
detail, it should be understood that various changes,
substitutions and alterations can be made hereto without
departing from the spirit and scope of the invention as
defined by the appended claims.

What is claimed is:

1. A method of detecting unauthorized access on a net-
work as indicated by signature analysis of packet traffic on
the network, comprising the steps of:

providing a plurality of intrusion detection sensors at a
network entry point associated with an internetworking
device;

balancing the packet load to said sensors, such that said
packets are distributed at least at a session-based level;

detecting signatures indicated by said packets delivered to
said sensors;

delivering packets indicating a composite signature from
multiple sessions to a network analyzer;

detecting composite signatures delivered to said network
analyzer;

using the results of said detecting steps to determine
unauthorized access to said network.

2. The method of claim 1, wherein said internetworking
device is a router, and wherein said sensors are attached
between said router and a local network.

3. The method of claim 1, wherein said internetworking
device is a switch, and wherein said sensors are integrated
into said switch.

4. The method of claim 1, wherein said balancing step is
performed by distributing said packets at a packet-based
level, and further comprising the steps of delivering packets
indicating a composite signature to a session analyzer and of
using said session analyzer to detect signatures indicated by
packets delivered to it.
work as indicated by signature analysis of packet traffic on
the network via a router, comprising the steps of: 

providing a plurality of intrusion detection sensors
between said router and a local network;

balancing the packet load to said sensors, such that said
packets are distributed at least at a session-based level;

detecting signatures indicated by said packets delivered to
said sensors;

delivering packets indicating a composite signature from
multiple sessions to a network analyzer;

detecting composite signatures delivered to said network
analyzer;

using the results of said detecting steps to determine
unauthorized access to said network.

6. The method of claim 5, wherein said balancing step is
performed by distributing said packets at a packet-based
level, and further comprising the steps of delivering packets
indicating a composite signature to a session analyzer and of
using said session analyzer to detect signatures indicated by
packets delivered to it.

7. A method of using a switch to detect unauthorized
access on a network as indicated by signature analysis of
packet traffic on the network via the switch, comprising the
steps of:

providing a plurality of intrusion detection sensors within 
said switch; 

balancing the packet load to said sensors, such that said
packets are distributed at least at a session-based level;

detecting signatures indicated by said packets delivered to
said sensors;

delivering packets indicating a composite signature from
multiple sessions to a network analyzer;

detecting composite signatures delivered to said network 
analyzer; 

using the results of said detecting steps to determine 
unauthorized access to said network. 

8. The method of claim 7, wherein said balancing step is
performed by distributing said packets at a packet-based
level, and further comprising the steps of delivering packets
indicating a composite signature to a session analyzer and of
using said session analyzer to detect signatures indicated by
packets delivered to it.

9. The method of claim 7, wherein said balancing step is
performed by a load balancing unit of said switch.

10. The method of claim 7, wherein said balancing step is
performed by an arbitration circuit at each said sensor and an
arbitration control bus linking said sensors.

11. An intrusion detection system for use with a network
router that delivers traffic to a local network, comprising:

a plurality of intrusion detection sensors connected to a
communications link between said router and said local
network, each said sensor operable to operate in par-
allel to perform signature analysis on packet traffic
distributed by said router to said sensors on at least a
session-based level; and

a network analyzer operable to receive packets indicating
a composite signature from multiple sessions and to
analyze signatures indicated by said packets delivered
to it.

12. The system of claim 11, wherein said router distributes
said packets at a packet-based level, and further comprising
a session analyzer that receives packets indicating signatures
from different packets of the same session and detects
signatures indicated by said packets delivered to it.

13. An improved switch for providing intrusion detection
for switched network traffic, the improvement comprising: 
a plurality of intrusion detection sensors integrated within
said switch, each said sensor operable to operate in
parallel to perform signature analysis on packet traffic
distributed within said switch;

a load balancing unit for distributing packets on at least a
session-based level to said sensors; and

a network analyzer operable to receive packets indicating
a composite signature from multiple sessions and to
detect signatures indicated by said packets delivered to
it.

14. The switch of claim 13, wherein said load balancing 
unit distributes said packets at a packet-based level, and 
further comprising a session analyzer that receives packets 
indicating signatures from different packets of the same 
session and detects signatures indicated by said packets 
delivered to it. 

15. The switch of claim 13, further comprising a bus that 
carries network traffic within said switch to ports of said 
switch and wherein said sensors are directly connected to 
said bus. 

16. The switch of claim 13, wherein said load balancing 
unit operates by receiving packets and re-transmitting them 
to said sensors. 

17. The switch of claim 13, wherein said load balancing 
unit operates by delivering control signals to said sensors. 

18. An improved switch for providing intrusion detection 
for switched network traffic, the improvement comprising: 

a plurality of intrusion detection sensors integrated within 
said switch, each said sensor operable to operate in 
parallel to perform signature analysis on packet traffic 
distributed within said switch; 

an arbitration bus linking each said sensor for communi- 
cating arbitration control signals among said sensors, 
said arbitration control signals operable to distribute 
packets to said sensors on at least a session-based level; 

an arbitration circuit associated with each said sensor for 
generating said arbitration signals; and 

a network analyzer operable to receive packets indicating 
a composite signature from multiple sessions and to 
detect signatures indicated by said packets delivered to 
it. 

19. The system of claim 18, wherein said arbitration bus 
distributes said packets at a packet-based level, and further 
comprising a session analyzer that receives packets indicat- 
ing signatures from different packets of the same session and 
detects signatures indicated by said packets delivered to it. 

20. A method of detecting unauthorized access on a 
network, comprising the steps of: 

providing a plurality of intrusion detection sensors at a 
network entry point associated with an internetworking 
device; 

balancing a packet load to said sensors, such that packets 
are distributed at a packet-based level; 

detecting signatures indicated by said packets delivered to 
said sensors; 

delivering packets indicating a composite signature to an 
analyzer; 

detecting a composite signature delivered to said ana- 
lyzer; 

using the results of said detecting steps to determine 
unauthorized access to said network. 

21. A method of detecting unauthorized access on a 
network, comprising the steps of: 
providing a plurality of intrusion detection sensors 
between a router and a local network; 

balancing a packet load to said sensors, such that packets 
are distributed at a packet-based level; 

detecting signatures indicated by said packets delivered to 
said sensors; 

delivering packets indicating a composite signature to an 
analyzer; 

detecting a composite signature delivered to said ana- 
lyzer; 

using the results of said detecting steps to determine 
unauthorized access to said network. 

22. A method of using a switch to detect unauthorized 
access on a network, comprising the steps of: 

providing a plurality of intrusion detection sensors within 
said switch; 

balancing a packet load to said sensors, such that packets 
are distributed at a packet-based level; 

detecting signatures indicated by said packets delivered to 
said sensors; 

delivering packets indicating a composite signature to an 
analyzer; 

detecting a composite signature delivered to said ana- 
lyzer; 

using the results of said detecting steps to determine 
unauthorized access to said network. 

23. An intrusion detection system for use with a network 
router that delivers traffic to a local network, comprising: 

a plurality of intrusion detection sensors connected to a 
communications link between said router and said local 
network, each said sensor operable to operate in par- 
allel to perform signature analysis on packet traffic 
distributed by said router to said sensors on a packet- 
based level; and 

an analyzer operable to receive packets indicating a 
composite signature and to detect a composite signature 
indicated by said packets received. 

24. A switch for providing intrusion detection for 
switched network traffic, the switch comprising: 

a plurality of intrusion detection sensors integrated within 
said switch, each said sensor operable to operate in 
parallel to perform signature analysis on packet traffic 
distributed within said switch; 

a load balancing unit for distributing packets on a packet- 
based level to said sensors; and 

an analyzer operable to receive packets indicating a 
composite signature and to detect a composite signature 
indicated by said packets received. 

25. A switch for providing intrusion detection for 
switched network traffic, the switch comprising: 

a plurality of intrusion detection sensors integrated within 
said switch, each said sensor operable to operate in 
parallel to perform signature analysis on packet traffic 
distributed within said switch; 

an arbitration bus linking each said sensor for communi- 
cating arbitration control signals among said sensors, 
said arbitration control signals operable to distribute 
packets to said sensors on a packet-based level; 

an arbitration circuit associated with each said sensor for 
generating said arbitration signals; and 

an analyzer operable to receive packets indicating a 
composite signature and to detect a composite signature 
indicated by said packets received. 
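The claims above describe session-based load balancing of packets to parallel sensors, with a network analyzer that detects composite signatures spanning multiple sessions. The following is an added illustration written for this page, not code from the patent: the signature patterns, the "probe across three sessions" composite rule, and the sample traffic are all constructed, and the hash-based balancer stands in for whatever the switch's load balancing unit or arbitration circuit would do.

```python
import hashlib
from collections import defaultdict

# Constructed per-packet signatures (not from the patent): byte patterns a sensor matches.
PACKET_SIGS = {"bad-login": b"USER root", "probe": b"SYN-PROBE"}
# Constructed composite rule: the same source seen probing >= 3 distinct sessions.
PROBE_SESSIONS_THRESHOLD = 3

def session_key(pkt):
    """Direction-independent session key, so both halves of a flow reach one sensor."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + ends[0] + ends[1]

def session_balance(pkt, n_sensors):
    """Session-based balancing: hash the session key, not the individual packet."""
    digest = hashlib.sha256(repr(session_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

class Sensor:
    """One of the parallel sensors; buffers per session so a split signature is still seen."""
    def __init__(self):
        self.buffers = defaultdict(bytes)

    def inspect(self, pkt):
        key = session_key(pkt)
        self.buffers[key] += pkt["payload"]
        hits = [n for n, pat in PACKET_SIGS.items() if pat in self.buffers[key]]
        return [{"session": key, "src": pkt["src"], "sig": h} for h in hits]

class NetworkAnalyzer:
    """Receives sensor reports and correlates them across sessions (composite signature)."""
    def __init__(self):
        self.probes = defaultdict(set)

    def receive(self, report):
        if report["sig"] == "probe":
            self.probes[report["src"]].add(report["session"])
        return len(self.probes[report["src"]]) >= PROBE_SESSIONS_THRESHOLD

def run(packets, n_sensors=4):
    """Distribute packets to sensors, collect per-packet hits and composite detections."""
    sensors, analyzer = [Sensor() for _ in range(n_sensors)], NetworkAnalyzer()
    alerts, composite = set(), set()
    for pkt in packets:
        for rep in sensors[session_balance(pkt, n_sensors)].inspect(pkt):
            alerts.add(rep["sig"])
            if analyzer.receive(rep):
                composite.add(rep["src"])
    return alerts, composite

def pkt(src, dst, sport, dport, payload):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}

SAMPLE = [pkt("10.0.0.5", "10.0.1.2", 40000, 21, b"USER r"),   # constructed: signature split
          pkt("10.0.0.5", "10.0.1.2", 40000, 21, b"oot\r\n")]  # across two packets, one session
SAMPLE += [pkt("10.0.0.9", "10.0.1.2", 50000 + i, 1000 + i, b"SYN-PROBE") for i in range(3)]
```

With packet-based (round-robin) distribution the two halves of the split signature could land on different sensors, which is why the claims route such cases through a session analyzer; the session-keyed hash above keeps them together.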